eDiscovery in SharePoint 2013 – Part 1: An Introduction

More and more organizations face more and more litigations. Whether they are shareholder lawsuits, fraud cases, or competitive investigations, litigation cases have proven to be costly, time consuming, and business disruptive. The new eDiscovery solution of SharePoint 2013 could really help organizations to lower eDiscovery costs, mitigate risks of data tempering or accidental deletion, and minimize business interruption.

In a series of blog articles I’ll show you the benefits of eDiscovery in SharePoint 2013, the architectural concept of the solution, some important implementation considerations, how to get eDiscovery to work technically in both an on-premises situation and in Office 365, and I’ll walk you through an eDiscovery case lifecycle.

But let’s start at the beginning:

What is eDiscovery?

Electronic discovery is the process to identify, preserve, search, process, and produce electronic content or electronically stored information (ESI) for a legal request or investigation.

Basically when we start a new eDiscovery case, we first want to look for possible relevant data, and make sure this data is not tampered with from that moment on (put it on hold). Next we would want to further refine the data set, do a legal review of this information, and then produce it for use in any legal investigation, compliance audit or policy enforcement in the organisation. Finally, when we are ready with the case, we wouldn’t want to forget to release the hold and formally close the case. In a diagram, this whole process would look as follows:

In SharePoint 2013 (and Exchange 2013), Microsoft did a major overhaul of their eDiscovery solution, resulting in a great tool to support this whole eDiscovery process, without disrupting regular business.

Benefits of using SharePoint 2013 for eDiscovery

With SharePoint 2013 it is possible to run an eDiscovery case on SharePoint, Exchange, Lync, and File Shares (on premises only) at the same time, from one unified central management console. That means it is possible to search, preserve (not for File Shares, we’ll get to that), and export all relevant content of all these repositories from one place.

In SharePoint 2010 it was already possible to perform an eDiscovery process, but this was only SharePoint content related. Exchange 2010 had its own eDiscovery tools. Also, when we would put a site on hold in SharePoint 2010, users would no longer be able to work on the contents of this site. So this was considered a rather business disruptive method.

In SharePoint 2013 these limitations are no longer there. Here’s an overview of what SharePoint 2013, together with Exchange 2013 and Lync 2013, can do for you when it comes to eDiscovery:

SharePoint 2013 has new site templates for both an overall eDiscovery Center, and individual eDiscovery Cases. For every discovery case, you would create a new case site where it is possible to conduct searches, place content on hold, and export content. In addition, you can associate the following things with each case:
1. Sources: Exchange mailboxes, SharePoint sites, or file shares from which content can be discovered.
2. eDiscoverySets: Combinations of sources, filters, and whether to preserve content. eDiscovery Sets are used to identify and preserve content.
3. Queries: The search criteria, such as author, date range, and free-text terms, and the scope of the search. Queries are used to identify content to export.
4. Exports: A list of all of the exports that were produced that relate to the case.

With SharePoint 2013 it is possible to centralize eDiscovery management for multiple SharePoint farms, Exchange servers, and File shares. There are a few caveats here, which we will discuss in Part 2 of this blog series when we talk about architectural concepts and considerations (for example, it is not possible to centralize management for a hybrid environment with SharePoint on-premises and SharePoint Online), but as long as you can add a content source or result source to SharePoint Search, you can discover the content from one console.

When you’ve created your eDiscovery Set and did a first general search for all possible relevant content, you probably want to put that content on hold before you start refining your searches and exporting the final content. You want to make sure that whatever happens with the content from that moment on, the original content stays available for your legal case. From the eDiscovery Center it is possible to put SharePoint 2013 sites and/or Exchange 2013 mailboxes on hold, without disrupting the business. End users shouldn’t be affected when content is put on hold and with SharePoint 2013, they’re not. As soon as a SharePoint 2013 site is put on hold, a hidden Document Library is created. Next, when a user modifies or deletes a content item subject to the legal hold, this is still possible for the user, but the original copy of the content item is copied to that hidden Hold Library. In Exchange 2013 mailboxes the same principle is applied by creating a hidden folder where items are actually moved to when a user deletes an item.

From the SharePoint 2013 eDiscovery Center it is possible to export the results of a search for later import in another review tool. Together will all the exported content, an XML file is created which complies with the Electronic Discovery Reference Model (EDRM) specification. So when external (legal) teams use other tools that also comply with this standard, they can easily import the content and use their own tool for further review and analysis. The following content is included in an export:
1. Documents: Documents are exported from file shares. Documents and their versions (optional) are exported from SharePoint.
2. Lists: If a list item was included in the eDiscovery query results, the complete list is exported as a comma-separated values (.csv) file.
3. Pages: SharePoint pages, such as wiki pages or blogs, are exported as MIME HTML (.mht) files, including styling and mark-up.
4. Exchange objects: Items in an Exchange Server 2013 mailbox, such as tasks, calendar entries, contacts, email messages, and attachments, are exported as a .pst file.

eDiscovery in SharePoint 2013 is rather quick to set up, and easy to use. Of course you need to do some configuration to get SharePoint and Exchange to work together, but this is fairly easy (as you’ll see in one of the next posts in this series). Also, because using the eDiscovery Center is very straightforward, there is no longer the need to burden the IT department with collecting all relevant content in the organization during an eDiscovery process. Legal teams can now be empowered to perform searches and exports themselves. They are able to respond quickly and in full fidelity with real-time data access. Of course there is the matter of governance here, how to handle the required permissions to be able to discover all relevant content, but that’s the case for IT people as well.

Summary

In this post I’ve tried to briefly explain the concept of eDiscovery and what a typical eDiscovery process would look like. Also, I’ve pointed out what’s new in SharePoint 2013 (and Exchange 2013) regarding eDiscovery and how the new eDiscovery Center could really help organizations to quickly respond to cases without disrupting business as usual.

In the next few blog posts I’ll dive more into the architectural concepts of Microsoft’s eDiscovery solution, I’ll talk about some important implementation considerations, how to get eDiscovery to work technically in both an on-premises situation and in Office 365, and I’ll walk you through an eDiscovery case lifecycle.